Legal Hack-Back

When Founder and CEO, Gadi Evron, told me Cymmetria was releasing a “hack-back” product for our customers, I had the same visceral response that every one of you is likely having right now: “Isn’t hack-back illegal?” The term conjures up thoughts of vigilante justice running amuck on the Internet.

In 1994, while I was at Rome Labs, Griffiss AFB, NY, we had a case where hackers compromised the entire set of unclassified networks on base and were using it to launch intrusions to another 120 systems downstream. I deployed a team of Air Force Office of Special Investigations (OSI) Computer Crime Investigators to Rome Labs, and the old Air Force Information Warfare Center (AFWIC) deployed their team to Rome Labs. Engineers at AFWIC had developed a “hack-back” tool that could be launched while the hacker was online; they developed this tool as a weapon to be used in a military conflict. The tool could look back into the system to where the attack was coming from and then hack into that computer. It could surveil that system, find the next computer that was attacking it, hack into it and continue that process until we were able to determine the actual origin of the attack. In a military conflict, this is another arrow in the quiver; in a criminal case, this is another story.

While it sounds great, by hacking into a system downstream, we would be violating the same statutes the hacker had violated; we could be both civilly and criminally liable. We stopped AFWIC from launching their tool. There is an entire other long story behind that. I went to the US Department of Justice, and we had a meeting with their Computer Crimes and Intellectual Property Section, the FBI and US Secret Service to discuss this new technique.

After much discussion, the DOJ unbelievably allowed AFWIC to launch their hack-back tool as long as we were in the room monitoring their activity. Unfortunately, even though the technique worked, it didn’t help us because the intruders were coming into our system from a dial-in port, not the Internet.

We eventually tracked down the intruders by using informants, but this event did start the discussion and almost immediate prohibition of hack-back. Until now.

Networks are far more complex and widespread today. Cymmetria has developed a tool and legal framework where we can provide the customer with the capability to expeditiously hack-back within their own network.

“Your network” is the key. Networks today are far more complex and often include contractors bringing their own authorized devices connected to your network, or employees who are authorized to ‘Bring Your Own Device’ (BYOD) to connect to your network. So, policies and agreements with them are critical. You must have consent to access their systems.

The Cymmetria tool is a utilitarian tool; a capsule. The customer can then determine the tools to load as a payload, and the customer decides the targets and when to execute in an expeditious manner. It’s critical that the customer understand the law (Title 18, USC 1030, Computer Fraud and Abuse Act). Although the tool can provide tremendous intel quickly, it can also be misused. If the tool is used against systems without consent, it could violate the law and the customers could be subject to both civil and criminal liability.

Every tool ever created by mankind to make our jobs easier, more fun, or more effective has been turned around and used as a weapon. A few examples include a rock, stick, hammer, golf club, spear, knife, gun, rope, bottle, fire, and computers. So, it is critically important that Cymmetria customers understand the law, and use the legal framework created by Jonathan Braverman and Gadi Evron, to create their BYOD policies as well as contracts with their contractors that allow for the legal use of the hack-back tool.

Jim Christy is VP of Investigations and Digital Forensics at Cymmetria. Jim retired from the U.S. government in 2013, ending a career investigating computer crimes and running digital forensics labs that began in 1986 at the Air Force Office of Special Investigations.